Let's go with a Go RAT! - botconf 2020 · 2018-12-09
Dec 2018
Copyright © LAC Co., Ltd. All Rights Reserved.

Yoshihiro Ishikawa, Shinichi Nagano
Let's go with a Go RAT!

Who are we?
• Organization: LAC Co., Ltd. (lac.co.jp)
• Department: Cyber Emergency Center
• Job Title: Cyber Threat Analyst and handler
Yoshihiro Ishikawa (CISSP)
• Department: Cyber Emergency Center
• Job Title: Cyber Threat Analyst and handler
Shinichi Nagano (GREM)
Agenda
• Purpose
• A study of Go language (GoLang)
• wellmess and its detail
• wellmess C2 traffic simulation (DEMO)
• Prevention method
• Conclusion

Purpose
• wellmess malware and its botnet are currently still categorized as unknown Golang malware
• several incident cases that we handled from January 2018
• Not detected [2] by security software until we published an analysis report [1] about June 2018
We would like to introduce the analysis result of "wellmess", and hopefully it will be useful to prevent the attack in the future.

CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING
We provide IT total solutions based on advanced security technologies.
A study of Golang executable

What about Golang
• Go [3] is an open source programming language developed by Google Inc. in 2009; in our presentation we call it "GoLang".
• Current stable version 1.11.2
• Runs on various platforms such as Linux, Mac, Windows, Android
• Golang malware
  • Mirai (C2/Server) is one of the most famous
  • Others such as Lady [4], GoARM.Bot [5], GoAthenaRAT [6], Encriyoko [7]

Golang executables characteristics
• Go executables have a huge file size (even packed by UPX [8], < 4 MB)
• Function names are left intact in the executable files (in many cases)
• The character strings become one continuous block (go 1.8 and higher)
(Figure: not stripped function names; continuous string block)

Golang executables characteristics - 2
The function names can be specified by using IDAGolangHelper [9] in IDA Pro [11].
(Figure: function names before and after renaming)

Golang executables characteristics - 3
Not every string blob can be separated by IDAGolangHelper, so we need to do it manually.
(Figure: string blob with split values (possible) and with no split values (impossible))
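The "function names are left intact" characteristic comes from the Go runtime's pclntab, which every Go binary carries so that stack traces can be printed; that is also where the names an analyst sees in IDA (and the symbol strings the YARA rule later keys on) come from. The following is an added example written for this page, not code from the presentation or from LAC: it reads the .gopclntab of an ELF Go binary (the Linux case of Appendix C) with the standard library's debug/gosym and lists the function names, optionally narrowed to one package prefix. The function and variable names are our own; it assumes an unpacked ELF (a UPX sample must be unpacked first) and, with no argument, inspects itself.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"sort"
	"strings"
)

// ListGoFunctions opens an ELF Go binary and returns every function name
// recorded in its .gopclntab, the table that keeps names such as
// "botlib.AES_Encrypt" intact even when the symbol table is stripped.
// Assumes an unpacked ELF; a UPX-packed sample has no readable sections.
func ListGoFunctions(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	pclnSec := f.Section(".gopclntab")
	textSec := f.Section(".text")
	if pclnSec == nil || textSec == nil {
		return nil, fmt.Errorf("%s: no .gopclntab/.text section (not a Go ELF, or packed?)", path)
	}
	pcln, err := pclnSec.Data()
	if err != nil {
		return nil, err
	}
	// A nil symtab is fine: since Go 1.2 the line table carries the function names itself.
	tbl, err := gosym.NewTable(nil, gosym.NewLineTable(pcln, textSec.Addr))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tbl.Funcs))
	for _, fn := range tbl.Funcs {
		names = append(names, fn.Name)
	}
	sort.Strings(names)
	return names, nil
}

// FilterByPackage keeps only the names with one package prefix, e.g. "botlib."
// or "main.", which is how an analyst separates the malware's own code from
// the thousands of runtime and library functions.
func FilterByPackage(names []string, pkg string) []string {
	var out []string
	for _, n := range names {
		if strings.HasPrefix(n, pkg) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	path, err := os.Executable() // with no argument, inspect this very binary
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pkg := "main."
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if len(os.Args) > 2 {
		pkg = os.Args[2]
	}
	names, err := ListGoFunctions(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d functions in %s; those in package %q:\n", len(names), path, pkg)
	for _, n := range FilterByPackage(names, pkg) {
		fmt.Println(n)
	}
}
```

Run as `./pclnlist <sample.elf> botlib.` to list only the bot library's functions; a packed sample returns the "no .gopclntab" error, which is itself a useful triage signal.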
wellmess and its detail

What about wellmess
wellmess is a RAT coded in GoLang for multiple platform operating systems.
• C2 Functions
  • Command Execution (RCE)
  • File Upload and Download
• Identification
  • Lang: GoLang (main) & .Net (minor version only)
  • Type: Windows 32/64-bit Executable (these main slides) & ELF x64 (Appendix C)
  • Characteristic:
    • Compiled with Ubuntu (go1.8.3), Windows (go1.8)
    • "wellmess" naming is coming from "Welcome Message" (attacker's thought)
    • Usage of IRC terms like "welcome message", "bot", "chat" or "join" etc.

Typo strings
Does he mean choice?
Does he mean welcome message?
Does he mean Mozilla?
(Figure: misspelled strings in the binary)

Specific characteristic strings
(Figure: different package name; C2 server; supports Japanese, Korean and Chinese)

Specific User-Agents
• Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
• Mozilla/5.0 (X11; U; Linux x86_64; ja-JP; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.10 (maverick) Firefox/3.6.16
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, Like Gecko) Version/7.03 Safari/7046A194A
• Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0
• Mozzila/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)
Each wellmess had a different User-Agent hard-coded.
wellmess doesn't have a lateral movement function; for that purpose the attacker was using another tool. In some cases they used gost [13], a tunneling tool written in Golang.
(Figure: Victim / Attacker / Lateral movement)

Other version: compiled with .NET wellmess (dnSpy [13])
(too long, redacted) Payload (DLL file) is encrypted.
Replace strings and Base64, decrypt RC6. The payload DLL file is loaded and executed using the AppDomain CreateInstanceAndUnwrap method utilizing a Proxy class.

Other version: The payload of .NET wellmess
Has similar functions as in the Golang version.
.NET version RCE is also using PowerShell methods, which are not found in the Golang version.

Comparison of Golang and .NET wellmess

Functions                                          | Golang (mostly spotted)                     | .NET (several cases only)
Support OS                                         | Windows, Linux, (NAS)                       | Windows
Encryption                                         | RC6, AES, RSA, obfuscation                  | RC6, AES, RSA, obfuscation
Bot commands                                       | Command Execution, File Upload and Download | Command Execution, File Upload and Download
How to Command Exec                                | CMD (Windows), Execve (Linux)               | PowerShell, CMD
C2 Protocol                                        | HTTP, POST, Cookie                          | HTTP, POST, Cookie
Packer                                             | UPX or none                                 | Original Packer (bytes obfuscator)
Latest version (ITW) # VirusTotal First Submission | 2018-10-02                                  | 2018-07-25

Bot functions are almost the same between Golang and .NET. We think that the main wellmess used by the attacker is Golang.
Cookie data decoding (string replacements), referenced from JPCERT/CC [15]:
data.replace("+","").replace("","=").replace(".","").replace("","").replace(",","+").replace(":","/")

Bot commands syntax
wellmess uses tags in an XML-like format to communicate C2 commands. Following are the regular expression matching rules of the tags:
Golang version: <;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>
.NET version:   <;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>

Bot commands
Tag         | Command | Functions
<;head;>    | C       | Used with <;service;> tag
            | G       | C2 server acceptance
<;service;> | p       | (Re)Initialize AES key and sending Host Info
            | fu      | File upload (from C2 to bot)
            | fd      | File download (from bot to C2)
            | m       | Change the division size per communication
            | u       | Change user-agent
<;title;>   | a:x_x   | Item number information of divided communication
            | rc      | Waiting C2 command
<;body;>    |         | Payload part added to the command

Bot commands samples
Decrypted Cookie header (tag form):
<;head;>57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p<;head;><;title;>a:1_0<;title;><;service;>p<;service;>
Cookie header as observed in the request:
AOyniCcS=1bLTL+NuPy0+%2CeDJx+1Q%2Cm0+1zZ8a+uj84J+VLbRk+tYH8v+pCeL6+gRkR;D9y5yGqO=G+B%3AbW%3Ao.+Y8GDHj+K2QKny+WZ2vQZ+L1v84h+p3P1qT.+Z8auj8+4JVLbR+ktYH8v+pCfbOO+ZDq577.+LySyuj+30PqHX+%2CXho8Z+YzBMr8+tQIevh.+rxEbIz+OVIVRP+x9DfH6+duxldn+PKi3f4.+y%2CI6td+RfavbR+67eQVw+twTN%3AI+HB1vPy.+hWzm2f+ASQlzB+Jiz9pt+EzNRQA+fRv1mL.+pziFHi+vzbux9+VA2zkY+8Ve9rz+T0u8jb.+1LH0%2Cx+WDpcVw+TIJjDV+5Dy6Mx+GTUarDtVk+++
C2 traffic communication
There are 4 steps until command & control communication:
1. Bot sends AES key + iv + Host Information
1'. C2 acceptance
2. Bot sends Host Information
2'. C2 acceptance
3. Bot sends ready signal to RCE
3'. C2 sends RCE
4. Bot sends result of RCE
4'. C2 acceptance
(Figure: sequence diagram between Bot and C2, steps 1-4 and 1'-4')
To simulate this traffic we must prepare the hard-coded RC6 key and the changing RSA public key.

C2 traffic communication - 1
Cookie Header: Infected Host Information in RC6
POST Body: AES + iv in RSA public key
"p" means Initial phase, Phase 1 of 2
(Figure: hex dump of the Cookie header showing the Infected PC Information followed by the SHA256 hash of NULL)

C2 traffic communication - 1'
Cookie Header: C2 Server response in RC6
"G" means just received

C2 traffic communication - 2
Cookie Header: Infected Host Information in RC6
POST Body: Host Information in RSA public key
Phase 2 of 2
(Figure: Host Information fields: ComputerName, Mode, UserDomain, UserName)

C2 traffic communication - 3
Cookie Header: standby to receive C2 Command
POST Body: It looks like no data is included
"rc" means to standby receiving C2 command

C2 traffic communication - 3'
POST Body: C2 Command in AES

C2 traffic communication - 4
POST Body: Result of C2 Command in AES
Cookie Header: split block number in RC6
Phase 1 of 1
(Figure: command result as received by the C2; the Japanese font is garbled)
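To make the tag syntax and the step-1 Cookie content concrete, here is an added example (ours, not code from the presentation or from LAC) that applies the Golang-version regular expression from the "Bot commands syntax" slide to the decrypted sample on the "Bot commands samples" slide and then breaks the <;head;> value down the way the C2 traffic communication - 1 slide does: the hex-encoded Infected PC Information, the SHA256 hash of NULL, and the command letter. The field layout of the head value (hex host string, 64 hex characters of SHA-256, then "/" and the command) is read off that one sample and is an assumption to re-check on other captures; function and type names are ours.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// SampleMessage is the decrypted Cookie sample from the "Bot commands samples" slide.
const SampleMessage = "<;head;>57494e2d3550464b544835345154517c636f6e736f6c657c57494e2d3550464b544835345154517c75736572" +
	"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/p<;head;>" +
	"<;title;>a:1_0<;title;><;service;>p<;service;>"

// tagRe is the Golang-version matching rule from the "Bot commands syntax" slide, unchanged.
var tagRe = regexp.MustCompile(`<;(?P<key>[^;]*?);>(?P<value>[^<]*?)<;[^;]*?;>`)

// ParseTags returns the tag name -> value pairs of one decrypted message.
func ParseTags(msg string) map[string]string {
	keyIdx, valIdx := tagRe.SubexpIndex("key"), tagRe.SubexpIndex("value")
	out := make(map[string]string)
	for _, m := range tagRe.FindAllStringSubmatch(msg, -1) {
		out[m[keyIdx]] = m[valIdx]
	}
	return out
}

// HeadInfo is what the <;head;> value of the sample breaks down into.
// Layout assumed from the sample: hex(host string) + 64 hex chars of SHA-256 + "/" + command.
type HeadInfo struct {
	Fields  []string // ComputerName, Mode, UserDomain, UserName per the slide, '|'-separated
	HashHex string   // the 64-character SHA-256 field
	Command string   // letter after the final '/'
}

// ParseHead decodes a <;head;> value using the assumed layout above.
func ParseHead(v string) (HeadInfo, error) {
	slash := strings.LastIndex(v, "/")
	if slash < 0 {
		return HeadInfo{}, errors.New("head: no '/' before command letter")
	}
	hexPart, cmd := v[:slash], v[slash+1:]
	if len(hexPart) < sha256.Size*2 {
		return HeadInfo{}, errors.New("head: too short for a SHA-256 field")
	}
	cut := len(hexPart) - sha256.Size*2
	raw, err := hex.DecodeString(hexPart[:cut])
	if err != nil {
		return HeadInfo{}, fmt.Errorf("head: host info is not hex: %w", err)
	}
	return HeadInfo{
		Fields:  strings.Split(string(raw), "|"),
		HashHex: hexPart[cut:],
		Command: cmd,
	}, nil
}

// IsSHA256OfNull reports whether the hash field is SHA-256 of empty input,
// the "SHA256 hash of NULL" the C2 traffic communication - 1 slide points at.
func IsSHA256OfNull(hashHex string) bool {
	sum := sha256.Sum256(nil)
	return strings.EqualFold(hex.EncodeToString(sum[:]), hashHex)
}

func main() {
	tags := ParseTags(SampleMessage)
	for _, k := range []string{"head", "title", "service"} {
		fmt.Printf("%-8s %s\n", k, tags[k])
	}
	h, err := ParseHead(tags["head"])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("host fields: %q\ncommand: %s\nhash is SHA-256(\"\"): %v\n",
		h.Fields, h.Command, IsSHA256OfNull(h.HashHex))
}
```

On the sample, the head decodes to the four host fields the slide labels ComputerName, Mode, UserDomain and UserName, the hash field equals SHA-256 of empty input, and the trailing "p" matches the <;service;> value, which is the "(Re)Initialize AES key" command of phase 1.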
wellmess C2 traffic simulation DEMO

Important notes
• It is forbidden in Japan to share any form of any malicious code without the written acknowledgement from and to the law enforcement.
• In this demonstration there is a possibility the used PoC code can be misused to control real, alive malware; there is a risk of malicious use if this PoC leaks, so it is considered as malicious code.
• Due to the circumstances above, we cannot share the source code used for this demonstration; however, this demonstration itself explains enough details to prove the concept of the C2 communication traffic/protocol used by wellmess malware.

Prevention and Detection
• C2 traffic connection in network detection
  • wellmess traffic detection using Suricata [16] or snort [17]
• Static and dynamic detection
  • YARA [18]
    • wellmess malware can be detected and identified by the YARA rule (will be introduced in the next slide)
  • EDR
    • Powershell and cmd wellmess execution can be traced by EDR log or process tree
Snort/Suricata rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"wellmess C2 traffic detection!"; content:"Accept-Encoding|3a 20|gzip"; content:"POST / HTTP/1.1"; pcre:"/Cookie\x3a[a-zA-Z0-9]{8}=/"; content:"Content-Type|3A|application|2F|x-www-form-urlencoded|3b|charset|3d|utf-8"; sid:1000000;)
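The rule above combines four conditions: a POST to "/", Accept-Encoding exactly "gzip", a form-urlencoded Content-Type with charset utf-8, and a Cookie whose first name is exactly 8 alphanumerics followed by "=" (the sample cookie on the "Bot commands samples" slide starts with AOyniCcS=, which is what the pcre keys on). As an added example, ours and not code from the presentation, here is the same logic evaluated on parsed HTTP headers rather than raw bytes, so it can be dropped into a log-replay or proxy-side check; the two request strings are constructed for the example (the host names are placeholders; the User-Agent is one from the "Specific User-Agents" slide).

```go
package main

import (
	"bufio"
	"fmt"
	"mime"
	"net/http"
	"regexp"
	"strings"
)

// SampleC2Request is a constructed request carrying the cookie names from the
// slide's sample and one of the hard-coded User-Agents; the host is a placeholder.
const SampleC2Request = "POST / HTTP/1.1\r\n" +
	"Host: c2.example.invalid\r\n" +
	"User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n" +
	"Accept-Encoding: gzip\r\n" +
	"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n" +
	"Cookie: AOyniCcS=1bLTL+NuPy0+%2CeDJx; D9y5yGqO=G+B%3AbW%3Ao.\r\n" +
	"Content-Length: 0\r\n\r\n"

// BenignRequest is a constructed ordinary POST that must not trigger.
const BenignRequest = "POST / HTTP/1.1\r\n" +
	"Host: www.example.invalid\r\n" +
	"Accept-Encoding: gzip, deflate\r\n" +
	"Content-Type: application/json\r\n" +
	"Cookie: session=abc123\r\n" +
	"Content-Length: 2\r\n\r\n{}"

// cookieRe mirrors the rule's pcre: the header value begins with exactly
// 8 alphanumerics and '=' (the RC6-encrypted data is carried in Cookie).
var cookieRe = regexp.MustCompile(`^[a-zA-Z0-9]{8}=`)

// MatchesWellmessRule reports whether one raw HTTP request satisfies all four
// conditions of the slide's Snort rule, checked on parsed headers.
func MatchesWellmessRule(raw string) (bool, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return false, err
	}
	// content:"POST / HTTP/1.1"
	if req.Method != http.MethodPost || req.RequestURI != "/" || req.Proto != "HTTP/1.1" {
		return false, nil
	}
	// content:"Accept-Encoding|3a 20|gzip"
	if req.Header.Get("Accept-Encoding") != "gzip" {
		return false, nil
	}
	// content:"Content-Type|3A|application|2F|x-www-form-urlencoded|3b|charset|3d|utf-8"
	mt, params, err := mime.ParseMediaType(req.Header.Get("Content-Type"))
	if err != nil || mt != "application/x-www-form-urlencoded" || params["charset"] != "utf-8" {
		return false, nil
	}
	// pcre:"/Cookie\x3a[a-zA-Z0-9]{8}=/"
	return cookieRe.MatchString(req.Header.Get("Cookie")), nil
}

func main() {
	for name, raw := range map[string]string{"sample C2": SampleC2Request, "benign": BenignRequest} {
		hit, err := MatchesWellmessRule(raw)
		fmt.Printf("%-10s match=%v err=%v\n", name, hit, err)
	}
}
```

Because the checks run on parsed header values, differences in whitespace after the colon or semicolon (which a byte-exact content match is sensitive to) do not affect the verdict; the trade-off is that the rule stays as loose as its weakest condition, so in practice it is worth pairing with the User-Agent list and the YARA rule from the next slide.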
YARA rules (one case)

For Golang:
rule wellmess_go
{
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $elf = { 7F 45 4C 46 }
        $str1 = "botlib.FromNormalToBase64"
        $str2 = "botlib.AES_Encrypt"
        $str3 = "botlib.UnpackB"
        $str4 = "botchat.go"
        $str5 = "choise.go"
        $str6 = "wellmess.go"
    condition:
        ($mz at 0 or $elf at 0) and any of ($str*)
}

For .NET:
rule chatbot_net
{
    meta:
        author = "LAC Co., Ltd."
    strings:
        $mz = { 4D 5A }
        $str = "Startbot" wide
        $str2 = "ROL"
        $str3 = "ROR"
        $str4 = "FromBase64ToNormal"
        $str5 = "FromNormalToBase64"
        $str6 = "SSL"
    condition:
        ($mz at 0) and all of them
}

EDR tracing for wellmess infection
Windows Defender ATP [19]
(Figure: Machine Timeline)
Conclusion
• wellmess is a RAT coded in GoLang and .NET, a RAT controlled by the C2 botnet.
• We have confirmed some cases where wellmess infection was found in targeted organizations. So, attacks using the malware may continue in other countries.
• For information sharing with OPSEC on a global scale, you are more than welcome to contact us!

Appendix A - Reference
1. https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
2. https://www.virustotal.com/ja/file/0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193/analysis/
3. https://golang.org/
4. https://news.drweb.com/show/?i=10140&lng=en
5. http://blog.0day.jp/2014/09/linuxgoarmbot.html
6. https://blog.talosintelligence.com/2017/02/athena-go.html#more
7. https://www.symantec.com/connect/blogs/malware-uses-google-go-language
8. https://upx.github.io/
9. https://github.com/sibears/IDAGolangHelper
10. https://www.hex-rays.com/products/ida/
11. https://www.paterva.com/web7/
12. https://github.com/ginuerzh/gost
13. https://github.com/0xd4d/dnSpy
14. https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
15. https://suricata-ids.org/
16. https://www.snort.org/
17. http://virustotal.github.io/yara/
18. https://www.microsoft.com/en-us/windowsforbusiness/windows-atp

Appendix B - IOC
• Golang
  • efda5178286678794b40987e66e686ce
  • 6fd56f2df05a77bdfd3265a4d1f2abac
  • b981736a057b888170148a91bcd86a59
  • 579d3af1b487ea3c442870eabe886a4f
• .NET
  • 98fe909510c79b21e740fec32fb6b1a0
  • 4a2b8954695b32322508e844ff7e74f5

Appendix C – Flowchart 1/4 (case of ELF): Initial communication
Appendix C – Flowchart 2/4 (case of ELF): Receive response & Bot process
Appendix C – Flowchart 3/4 (case of ELF): Execute Bot Command
Appendix C – Flowchart 4/4 (case of ELF): Continue Bot Command

Thank you. Any Questions?